Hide Your SSID?

I have a wireless network at home, which lets me get an internet connection on my laptop all over the house. But I'm concerned that neighbors or people driving by can hack into my computer. A friend said that hiding my SSID will solve the problem. What's a wireless SSID, how do I hide it, and will it help?

Does Hiding the SSID Make Wireless Secure?

If you have high-speed internet service, chances are you have a wireless router. If that's true, you may be sharing your internet connection (and possibly your hard drive) with strangers. Your friend who mentioned hiding the SSID meant well, but that's not the best solution to securing your wireless network.

Let's take a step back... If your internet router/modem has an antenna, you've got a wireless network. Wireless routers send out a beacon called the SSID (or Service Set IDentifier) so wireless devices (such as a laptop) can identify and connect to the wireless network. The purpose of the SSID is to broadcast the availability of the wireless network and invite devices within range of the signal to connect.

If a device doesn't know the wireless network's SSID, it cannot connect. So that's why some people recommend that you change the settings on your router to keep it from broadcasting the SSID. This allows only the people who already know the SSID to connect to the wireless network.

It's true that hiding or turning off the SSID beacon will effectively hide your wireless network... but only from casual users. Determined hackers with the right software can still detect the SSID of a wireless network, and gain access. It's also possible that hiding your SSID will result in slower network performance, or at least increase the initial connect time.

If you understand that hiding the SSID gives only minimal protection from intruders, and you still want to do so, you can change this setting by logging into your router from a web browser. In most cases, you'll need to connect to http://192.168.0.1 then enter the router's login and password. If the person who installed the router didn't change the factory settings, there's a good chance the login is admin and the password is password.

Refer to the owner's manual for your wireless router (or ask your internet service provider) for details on how to login to the router and change the SSID or other security settings.

Secure Wireless Networking

Given that hiding the SSID doesn't do a whole lot to secure a wireless network, here are some steps you can take that WILL help. For each of the steps that follow, I'm assuming you have logged into your router...

STEP 1: Change the router's login and password from the default. If your wireless router still has the factory default login and password, then ANYONE could connect to the router, change the settings and lock YOU out!

STEP 2: Change the SSID from the default setting to something meaningful. Most routers are configured with an SSID name of default. It won't do much good to turn off the SSID beacon if the SSID can be so easily guessed. Set the SSID to something unique and memorable like FLUFFY2 or FIDO7.

STEP 3: Turn on encryption. This is the most important step by far. If you turn on WEP or WPA encryption, the router will not give access to wireless devices unless they provide the password you specify. This will also encrypt all communication between your wireless computer and the router. If your router supports WPA (or WPA/PSK) use that instead of WEP, which is an older technology.

For additional help with home networking and secure wireless computing, see the articles below:

Most recent comments on "Hide Your SSID?"

Posted by:
David
15 Dec 2006

New routers may include WPA2 which is even better than WPA. I've also heard that changing the channel to 5 or 11 may reduce the area interference, particularly if neighbors are using the default channel (usually 6). This does not improve security but can improve speed.

Posted by:
Matt
15 Dec 2006

One important thing you might want to add is that the SSID should not be something that will make it easier for someone to figure out which house / apartment your network is from. In other words, use something easy to remember but not personally identifiable. Don't use your address!

And changing the default admin username and password is of the utmost importance, I actually locked one of my buddies out of his network because he did not. I only did it to show him he should have changed it, but what if it had not been me?

Posted by:
Willum
15 Dec 2006

Whilst all the information you provided with reference to wireless connection security is good and valid, you failed to mention the 'MAC' address code which all wireless cards possess. You can set up the router to only accept a connection from other wireless linked computers, by defining the MAC address of the wireless card or cards, in the router's set-up procedure.

MAC addresses are unique to each wireless networking card and it is 'burned' into ROM during manufacture. This applies to either a separate card, or the networking hardware built-in to a laptop. The MAC address is normally a 48 bit code, which provides over 280 Trillion possible MAC addresses.

This being the case, it will make hacking in to a system very difficult, if not impossible, since only a wireless card, or cards, bearing a MAC address or addresses, which have been defined in the router set-up, will be able to establish a connection to the router.

The set-up procedure is very simple and the MAC address for each card is identified on the card, in the format xx:xx:xx:xx:xx:xx:xx:xx where 'x' is a hexadecimal digit.

EDITOR'S NOTE: It may not be a big deal for you to open a PC or laptop, find the network adapter, and copy down a long string of numbers and letters. But trust me... this is WAY beyond the comfort level of most computer users!

Posted by:
Ed Button
15 Dec 2006

There is a fourth important step in securing a home wireless network. Most wireless routers support the enforcement of an Ethernet Media Access Control (MAC) Access Control List (ACL). Every ethernet device is assigned a unique MAC address by the manufacturer. It is usually printed somewhere on the outside of the device and it can also be determined by using the Windows command: ipconfig /all

When a MAC ACL is enforced in the router, only MAC addresses that have been added to the ACL can connect. A connection request by any device with a "foreign" MAC is denied. Admittedly, this fourth security step can be overcome by a sophisticated and determined hacker, but it is one more important layer of defense for the network owner.

Posted by:
Mahesh
20 Dec 2006

I think Bob has forgotten that there's an easier way to view your network card's MAC - use "ipconfig /all" on Windows, and similar commands on other OSs. Restricting your WiFi network to known MACs is an excellent idea, IMO, and is definitely worth the trouble.

EDITOR'S NOTE: So noted!

Posted by:
Tom Bullock
31 Dec 2006

Bob, I used this and the related article to improve the security of my wireless network. In so doing I had to contact my ISP since I had no router owner's manual. That was a learning experience! I ended up with 128 bit encryption. In the course of learning, I encountered the following message: "TKIP requires either 64 hexadecimal characters or an ASCII "pass phrase" between 8 and 63 alphanumeric characters". Please explain TKIP and compare that to 128 bit encryption. Is that something I can invoke on my own or is it dependent on hardware or software? [My ISP supports WEP-ONLY (not WPA).] Also, where can I find a list of ASCII characters to develop a "pass phrase", which I take to mean just a long password.

EDITOR'S NOTE: TKIP (Temporal Key Integrity Protocol) is a security protocol designed to replace the the older WEP standard, without the need to replace router hardware. In other words, it's better than WEP, not as good as WPA, but it's the best you can do on an older router whose hardware does not support WPA. ASCII characters are just plain text (A-Z and 0-9, with a few other special characters) so yes -- it's computerese for "long password phrase".

Posted by:
veeru
12 Apr 2007

Sir, Is there any command to find the SSID of the Wireless network.

EDITOR'S NOTE: You can login to the router with your browser to see the SSID.

Posted by:
Ron
08 Jul 2007

I have a PalmOne hand-held gadget, and I don't know the equivalent of the IPCONFIG command to find it's MAC address -- but there was an easy workaround. I set my wireless router to allow "anyone" to log on provided they know my (hidden) SSID and WPA passphrase. I logged on with the PalmOne, then used the browser on my PC to connect to the router and view the list of current connections, and it gave me the MAC address of my PalmOne. After adding that MAC address to the list, I reset the router to only accept connections from that list.

Posted by:
v3x
02 Dec 2007

I agro with your analysis of hiding your SSID. I would like to make it clear that using the MAC ACL to deny access is about equally as fruitless as hiding your SSID. Cloning a MAC address is very simple in linux/unix. You take down your interface, issue a command to change it (dont recall off hand) and bring the interface back up. In Windows you can download a program that will change your MAC address for you. By using MAC ACLs, you should inform your user that they may lock themselves out if they type the MAC incorrect or have to change their network card for any reason. WEP can be broken in a matter of minutes. My suggestion as far as encryption goes is to not use WEP. Instead use WPA or WPA2. Additionally, if you have the option use AES instead of TKIP. AES is a NSA approved method for encrypting classified information so I think it is good enough for a wireless connection. Also, in some routers there is an option to make your wired network invisible to connections made through the wireless portion of the router. This can help to keep a less skilled hacker from getting to your wired computers once they have broke into your wireless network. The only method known for breaking WPA last I heard is to bruteforce the key. Therefor when you chose a WPA key, make it as random as you can and use all available keys to include special keys, and make it as long as possible as per the capability of your hardware.

Posted by:
Karsten Wade
01 Oct 2008

In your instructions, you direct the reader to connect to the wireless device as the administrator using unencrypted HTTP. As you note, that is likely the default configuration (as well as username and password for Linksys products.) (Finding other administrator default usernames and passwords can be found on the various manufacturer websites, in the product manuals.)

If the user connects via wireless using HTTP and the admin password, then anyone else using that wireless connection could sniff the password from the air. Again, this is not something a casual hitchhiker would do, it takes knowledge and software. But if a malicious hitchhiker is already connected and watching for passwords, then you have defeated the entire purpose of making the network more secure! That malicious person can use the password to gain access to learn the encryption password, etc.

If the HTTPS is not available by default over the wireless for admin purposes, another possible idea is to connect only via a cable. It then depends on if the access point segments the traffic enough that it cannot be sniffed.

Tough chicken-and-egg situation, I wish manufacturers made HTTPS the default or only way to connect to their unit's web admin UI.

Posted by:
Ranga
20 Dec 2008

I have setup my router using WPA key and also changed the router admin password. Recently I discovered something and want to check with you for advice. If I type 192.168.0.1 from IE (this is common DLINK router address) I will be allowed to login to my router with "admin" as user-ID and spaces as password. It doesnt let you change any settings (becuase incorrect pswd), but it lets browse through router settings, where one can easily read WPA key (WPA key is not *** here).

EDITOR'S NOTE: Something is wrong with your router software if you can see all that without logging in. You might try doing a factory reset, then setting passwords for all defined users on the router.

Posted by:
Glen
05 Aug 2009

Hi Bob,

Recently Comcast has upgraded my service by doubling the speed. I have a Netgear RP614 router in line and when I go directly through the cable modem I can pickup the hi speed, when I add the router in-line (I left it in-line for safety sakes) it drops back down to original speed I started with. I don't know how to reprogram the router for the higher speed if need be. I have pulled the power to both devices for reset to reinstall them, but, to no gain in speed. Could I be walked through this procedure or due I need a new router to pick-up the extra speed?

EDITOR'S NOTE: I assume you are wanting the extra protection of the firewall and NAT router. Usually the modem and router are combined in one box. Are you sure your cable modem is not also a router?

Posted by:
jim
20 Aug 2010

I have to agree re the MACy address - they are simple to spoof for a hacker and offer NO protection (I got this from real hackers who work to secure companies). Likewise hiding your SSID is useless and in fact, violates the wireless standards and not meant for security - it is just an ID. Despite what you think, many things are still broadcast in the clear and anyone with a sniffer can break in easily. The guys we met with had all the information they needed to break into nearly all the laptops in our local Paneras while waiting for our meeting. Scary stuff out there. WPA2 is your best bet for now.

Posted by:
Joeseph
19 Feb 2011

There is a privacy flaw in the recommendations here.

Your last-connected SSID is divulged by your radio NIC; so if that preferred SSID is unique, then someone who knows you can connect the dots.

In essence, no matter where you connect, they can tell where you came from (i.e., your prior connection).

This is because the last-connected SSID is disclosed in the "association request" frame.

So, by following the recommendations here, you increase home security only slightly but you compromise hotspot privacy slightly.

Posted by:
Boris C.
27 Jun 2011

I suggest you to get a little creative and name SSID something that would be perceived by people as npt in working condition or something that would deter hackers.

Posted by:
Daniel
17 Jul 2012

I've someone who is trying to connect to my wifi almost everyday. This is done very few minutes for hours. So I guess he must be using some sort of machine to scan and try to hack into my wifi.

I know the MAC address of this guy. Is it possible to catch the culprit by knowing his MAC address? If not, what option do I have? I am worried one day he maybe able to crack my password as he is using machine to do it.

EDITOR'S NOTE: Use WPA2, set a really good password, and rest easy. See these links:
http://askbobrankin.com/is_your_wireless_router_really_secure.html
http://askbobrankin.com/hey_is_this_your_password.html

Posted by:
Pat J.
26 Mar 2013

slightly off-topic but i have a comment: I tried disabeling the SSID broadcast for my wifi router once. When the SSID broadcast was off, my wireless computers and portable devices couldn't connect to the AP. fun. :p As soon as i turned SSID broadcast on, my devices could connect to the access point.

Post your Comments, Questions or Suggestions

* Name:
* Email:
(* = Required field)

(Your email address will not be published)

Comments: (you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.